Cross site scripting attacks and same origin policy

Solution 1

Typically no.

A non-persistent or reflected XSS attack exploits input that is echoed back as page content without proper sanitization, without persisting it. The injected script will seem to come from the exploited domain in both cases.

For example if you do this in PHP: echo $_GET['param'] and send a link to the page to somebody containing ?param=<script>alert('got you!');</script> it is a non-persistent XSS attack, and same-origin policy has nothing to do with it.

Same-origin means that you cannot directly inject scripts or modify the DOM on other domains: that's why you need to find an XSS vulnerability to begin with.
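The reflected-XSS case from this answer, reworked in Python as an added example (not code from either answer): the vulnerable render echoes the query parameter raw, exactly as echo $_GET['param'] does, while the hardened render HTML-escapes it for the text context it lands in. The URL, the function names and the page template are constructed for this example.

```python
"""Reflected XSS: the echoed parameter becomes page content (added example)."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the kind of link the answer describes being sent to a victim.
# The payload is in the query string, so nothing is stored server-side.
MALICIOUS_URL = (
    "https://vulnerable.example/page?param=<script>alert('got you!');</script>"
)


def param_from_url(url: str, name: str = "param") -> str:
    """Extract one query parameter the way the server-side handler would see it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Equivalent of `echo $_GET['param']`: raw input is concatenated into HTML.

    A <script> payload here is parsed by the victim's browser as a script element
    belonging to the vulnerable page's own origin, which is why the same-origin
    policy does not help: the script is not cross-origin from the browser's view.
    """
    return f"<html><body><p>You searched for: {value}</p></body></html>"


def render_hardened(value: str) -> str:
    """Same page, but the value is escaped for an HTML text context.

    The payload is still reflected, only now as visible text: '<' and '>' become
    entities, so the parser never creates an element from it.
    """
    return f"<html><body><p>You searched for: {escape(value, quote=True)}</p></body></html>"


def has_script_element(html: str) -> bool:
    """Crude markup check used only by this example: is a <script start tag present?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    payload = param_from_url(MALICIOUS_URL)
    print("vulnerable page executes script:", has_script_element(render_vulnerable(payload)))
    print("hardened page executes script:  ", has_script_element(render_hardened(payload)))
```

Escaping must match the output context; this text-context escape is not sufficient for a value placed inside a script block, a URL or an unquoted attribute.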

Solution 2

SOP typically cannot prevent either XSS or CSRF.

For XSS, jakber's answer already provides a good explanation. I just want to add that the reason to call this vulnerability "cross-site" is because the attacker can inject code (e.g. <script src="...">) into the target page that loads malicious JavaScript from another website, which is typically controlled by the attacker. Loading JavaScript from another website is not denied by SOP, because doing that will break the Web.

For CSRF, SOP cannot prevent it in most cases because SOP does not prevent website A from sending GET and POST requests to website B.

Updated on June 20, 2022

Comments

  • Methos
    Methos almost 2 years

    I am familiar with the persistent and non-persistent XSS. I also know about Same origin policy that prevents/restricts requests originating from one website's page to go to another website's servers. This made me think that the same origin policy can stop at least the non-persistent type of XSS attacks (because in the persistent type of attack the malicious code origin would be the same as the private information that is stolen). Is my understanding correct? Can SOP be used to stop/reduce these attacks?

    EDIT: Okay I was confusing between invoking methods between 2 scripts at the browser side and invoking methods such as HTTP POST on another website. Thank you for the answer jakber.

    Now I have another question: wouldn't SOP be able to prevent Cross-site request forgery? The example given in the Wikipedia article talks about Bob accessing a malicious image tag created by Mallory on the chat forum. However, as per the SOP rule, the malicious script should not be able to access the bank's cookie. Am I missing something here?

  • Methos
    Methos over 12 years
    Thanks for the answer. Do you have any comments about my new edits?
  • jakber
    jakber over 12 years
    SOP doesn't apply to the src of images, style, iframe and script elements, nor to the target of forms for example. It does however apply to XmlHttpRequest, so it prevents this particular attack vector for CSRF. See also owasp.org/index.php/…
  • Magnus
    Magnus almost 6 years
    If I understand correctly, SOP does prevent GET. That is indeed the whole point of SOP, to prevent a script silently using an authenticated browser (authenticated with a cookie) from reading files from other pages (as such sources might be confidential if the browser is already authenticated). POST on the other hand, is allowed.
  • Steve
    Steve about 5 years
    @Magnus According to Mozilla, webpages can embed JavaScript from other origins.